NSD prints log messages to the system log (or to the file named by the logfile: configuration entry). This page covers common log messages and their meanings.

Severity Levels

NSD uses standard syslog severity levels:
  • LOG_CRIT - Critical errors requiring immediate attention
  • LOG_ERR - Error conditions
  • LOG_WARNING - Warning messages
  • LOG_NOTICE - Normal but significant conditions
  • LOG_INFO - Informational messages

Reload and Process Messages

Reload process <pid> failed with status <s>, continuing with old database
Severity: LOG_ERR
Meaning: This log message indicates the reload process of NSD has failed for some reason. This can be anything from a missing database file to internal errors.
Action:
  • Check zone file syntax with nsd-checkzone
  • Verify file permissions on zone files and database directory
  • Check system logs for more detailed error messages
  • Review recent changes to zone files or configuration

snipping off trailing partial part of <ixfr.db>
Severity: LOG_NOTICE
Meaning: The file ixfr.db contains only part of expected data. The corruption is removed by snipping off the trailing part.
Action:
  • This is automatically corrected by NSD
  • The zone will be served correctly
  • Consider investigating what caused the incomplete write (disk full, power failure, etc.)
  • IXFR history for affected zones may be incomplete

memory recyclebin holds <num> bytes
Severity: LOG_INFO
Meaning: This is printed for every reload. NSD allocates and deallocates memory to service IXFR updates. The recycle bin holds deallocated memory ready for future use. If the number grows too large, a restart resets it.
Action:
  • This is informational only
  • If the number grows very large (hundreds of MB or more), consider restarting NSD
  • Normal operation for servers with frequent zone updates
  • A restart will free this memory back to the system

Zone Transfer Messages

xfrd: max number of tcp connections (32) reached
Severity: LOG_WARNING
Meaning: This line is printed when more than 32 zones need a zone transfer at the same time. The value is a compile constant (xfrd-tcp.h), but if this happens often for you, we could make this a config option. NSD will reuse existing TCP connections to the same primary (determined by IP address) to transfer up to 64k zones from that primary. Thus this error should only happen with more than 32 primaries or more than 64*32=2M zones that need to be updated at the same time.
Action:
  • More zones have to wait until a zone transfer completes (or is aborted) before they can have a zone transfer too
  • This waiting list has no size limit
  • Consider staggering zone update times
  • Ensure primary servers are responding promptly
  • This is only a concern for very large deployments

DNSSEC Messages

error: <zone> NSEC3PARAM entry <num> has unknown hash algo <number>
Severity: LOG_ERR
Meaning: This error means that the zone has NSEC3 chain(s) with hash algorithms that are not supported by this version of NSD, and thus cannot be served by NSD. If there are also no NSECs or NSEC3 chain(s) with known hash algorithms, NSD will not be able to serve DNSSEC authenticated denials for the zone.
Action:
  • Update NSD to a version that supports the hash algorithm
  • Re-sign the zone with a supported hash algorithm (SHA-1 is universally supported)
  • Check NSEC3PARAM records in the zone file
  • The zone will still be served, but DNSSEC validation may fail

Configuration Messages

No SSL, therefore TLS is disabled
Severity: LOG_WARNING
Meaning: NSD was compiled without OpenSSL support, so TLS (DNS over TLS) functionality is disabled.
Action:
  • Recompile NSD with the --with-ssl option
  • Install OpenSSL development libraries
  • TLS features will not be available

No TLS 1.3, therefore XFR-over-TLS is disabled
Severity: LOG_WARNING
Meaning: The OpenSSL version in use does not support TLS 1.3, which is required for XFR-over-TLS.
Action:
  • Update OpenSSL to a version supporting TLS 1.3
  • Zone transfers over TLS will not be available
  • Regular zone transfers will continue to work

can't bind tcp socket: <error>
Severity: LOG_ERR
Meaning: NSD cannot bind to the configured TCP socket.
Action:
  • Check if another process is using the port
  • Verify IP address is configured on the system
  • Check firewall rules
  • Ensure NSD has permission to bind to the port (ports < 1024 require root)

protocol not supported
Severity: LOG_ERR
Meaning: The requested protocol (usually IPv6) is not supported by the system.
Action:
  • Use --disable-ipv6 when compiling if IPv6 is not needed
  • Enable IPv6 support in the kernel
  • Remove IPv6 addresses from configuration if not available

File and Permission Messages

can't open <file>: <error>
Severity: LOG_ERR
Meaning: NSD cannot open a required file.
Action:
  • Check that the file exists
  • Verify file permissions
  • Check SELinux/AppArmor policies
  • Ensure directory permissions are correct
  • Verify user/group ownership

Query Processing Messages

query dropped: <reason>
Severity: LOG_INFO
Meaning: A query failed sanity checks and was dropped.
Common Reasons:
  • Malformed query packet
  • Invalid DNS message format
  • Query exceeds maximum size
  • Rate limiting triggered
Action:
  • This is usually due to malicious or broken clients
  • Monitor the num.dropped statistic
  • If very high, investigate source IP addresses
  • Consider firewall rules for persistent bad actors

Statistics and Metrics Messages

metrics operation completed, response sent
Severity: LOG_INFO (verbosity 3)
Meaning: A metrics request was successfully processed and the response was sent.
Action:
  • This is informational only
  • Indicates normal operation of metrics endpoint

metrics requested, but no stats enabled at compile time
Severity: LOG_NOTICE
Meaning: Metrics were requested but NSD was compiled without statistics support.
Action:
  • Recompile with --enable-bind8-stats to enable statistics
  • Metrics endpoint will return 204 No Content

System Resource Messages

out of memory
Severity: LOG_CRIT
Meaning: NSD has exhausted available memory.
Action:
  • Increase system memory
  • Reduce number of zones
  • Build with --disable-nsec3 if NSEC3 is not needed (saves ~20% memory)
  • Consider building with --disable-radix-tree to use less memory
  • Check for memory leaks with long uptimes

Verbosity Levels

Control log verbosity with the verbosity option in nsd.conf or via nsd-control verbosity <number>:
  • 0 - Only errors and warnings
  • 1 - Operational information (default)
  • 2 - Full query logging (very verbose)
  • 3 - Debug information
nsd.conf
server:
    verbosity: 1

Log File Configuration

Configure logging in nsd.conf:
nsd.conf
server:
    # Log to file instead of syslog
    logfile: "/var/log/nsd.log"
    
    # Set verbosity level
    verbosity: 1
    
    # Log queries (verbosity 2 required)
    # verbosity: 2

Troubleshooting Tips

1. Check current log verbosity

    nsd-control verbosity

2. Increase verbosity temporarily

    nsd-control verbosity 2

3. View real-time logs

    # For syslog
    tail -f /var/log/syslog | grep nsd

    # For custom logfile
    tail -f /var/log/nsd.log

4. Rotate logs

    nsd-control log_reopen
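
The message catalogue on this page can be turned into an automated triage pass over a log. The following is an added example, not part of NSD or its documentation: it compiles a few of the message templates above into matchers, extracts their variable fields, and separates LOG_ERR/LOG_CRIT hits from the rest. The sample lines and their "[epoch] nsd[pid]: level:" prefix are constructed assumptions, and the function names are hypothetical.

```python
import re
from collections import Counter

# Templates and severities copied from this page; <name> marks a variable field.
CATALOGUE = [
    ("Reload process <pid> failed with status <s>, continuing with old database", "LOG_ERR"),
    ("error: <zone> NSEC3PARAM entry <num> has unknown hash algo <number>", "LOG_ERR"),
    ("can't open <file>: <error>", "LOG_ERR"),
    ("query dropped: <reason>", "LOG_INFO"),
    ("out of memory", "LOG_CRIT"),
]
URGENT = {"LOG_CRIT", "LOG_ERR"}

def compile_template(template):
    """Turn a template into a regex with one named group per <field>."""
    parts = re.split(r"<(\w+)>", template)  # literal, field, literal, ...
    body = "".join(f"(?P<{p}>.+?)" if i % 2 else re.escape(p)
                   for i, p in enumerate(parts))
    return re.compile(body + r"\s*$")

MATCHERS = [(compile_template(t), t, sev) for t, sev in CATALOGUE]

def classify(line):
    """Return (template, severity, fields) for a catalogued message, else None."""
    for rx, template, sev in MATCHERS:
        if (m := rx.search(line)):
            return template, sev, m.groupdict()
    return None

def triage(lines):
    """Count catalogued messages, collect LOG_ERR/LOG_CRIT hits, count the rest."""
    counts, urgent, unknown = Counter(), [], 0
    for line in lines:
        hit = classify(line)
        if hit is None:
            unknown += 1  # not catalogued here: leave for manual review
            continue
        counts[hit[0]] += 1
        if hit[1] in URGENT:
            urgent.append(hit)
    return counts, urgent, unknown

# Constructed sample; the "[epoch] nsd[pid]: level:" prefix is an assumed layout.
SAMPLE = [
    "[1700000050] nsd[811]: error: Reload process 902 failed with status 256, continuing with old database",
    "[1700000060] nsd[811]: info: query dropped: malformed query packet",
    "[1700000061] nsd[811]: info: query dropped: malformed query packet",
    "[1700000070] nsd[811]: error: can't open /etc/nsd/example.org.zone: Permission denied",
    "[1700000080] nsd[811]: notice: a message not covered on this page",
]
```

Calling triage(SAMPLE) returns the per-message counts, the list of urgent hits with their extracted fields, and the number of lines that matched no catalogued message.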
